system check message question

Ben Beeson beesond001 at hawaii.rr.com
Tue May 1 23:52:44 PDT 2001


Jeff,

	Thanks for the info, and yes, I do subscribe to SECURITYFOCUS...  I
find it interesting to see what everyone is up to.  I must admit though, I
don't understand it all yet...

Still learning,

Ben 



On Tue, 01 May 2001, you wrote:
> A lot of the time, attackers are not really interested in getting a direct
> response from a target computer.  One of the attacks that has been under
> discussion recently involves a trojan program which opens a raw socket and
> listens for traffic that matches a particular pattern.  Because it uses a
> raw socket, it acts similarly to a promiscuous interface and isn't fully
> bound to a particular port number.  This way it won't show up as an open
> socket on port scans.  Once it finds a 'trigger' packet it will fully bind
> to a port for x amount of time and send an 'I am rooted' message to
> wherever it's set for.  Since these types of attacks do not directly
> contact the attacking host, spoofed IPs work fine.  I'm sure there are
> other uses for spoofed IPs besides this and DOS attacks.
> 
> Note:  Last I heard several of these single packet to port 31137 incidents
> have been tracked back to a Road Runner address.  If you're interested in
> keeping up with the latest in security, etc. check out
> www.securityfocus.com .  They have several mailing lists for security
> issues and get a lot of traffic.  Too much traffic actually, I find myself
> just hitting delete on those messages automatically :(
> 
> Jeff Wong
> 
> 
> On Tue, 1 May 2001, jay wrote:
> 
> > what i don't understand is where would spoofing 1.2.3.4 get you
> > unless you were either using loose source routing or sniffing
> > traffic on the same wire and could see an ack go out?
> > that one entry doesn't look like an attempt at a DDOS.  unless
> > they were using the nmap decoy option, but then you'd be seeing
> > other scans on that port by different IPs...
> >
> > am i thinking about this too much?
> > time for a nap.
> >
> > =jay
> >
> > On Mon, 30 Apr 2001, Jeffrey Wong wrote:
> >
> > > There have been a lot of reports of people seeing the exact same thing over
> > > the last two weeks.  I haven't really heard much about it besides that it's
> > > been seen though.  It seems to (so far) be just a passive scan with no
> > > accompanying attacks, although I'd assume that if you do have Back Orifice
> > > installed . . .  1.2.3.4 is just one of the more commonly spoofed IPs.
> > > In fact it's used as an example IP in a lot of different places.  I guess
> > > these new script kiddies either have no imagination, or no idea that they
> > > can change it ;)
> > >
> > > Jeff Wong
> > >
> > > On Mon, 30 Apr 2001, Ben Beeson wrote:
> > >
> > > > Aloha all,
> > > >
> > > > 	The line below appeared in my /var/log/messages file and I am curious
> > > > about it.  I think port 31337 is for Back Orifice, a Windows attack that I
> > > > should be relatively immune to.  However, that said, I am curious how the IP
> > > > address 1.2.3.4 materialized.  I am not sure that this is a 'legal' address.
> > > > 'dig' returns nothing.....  Has anyone else seen this???
> > > >
> > > > Thanks,
> > > >
> > > > Ben
> > > >
> > > >
> > > > Security Violations
> > > > =-=-=-=-=-=-=-=-=-=
> > > > Apr 29 16:50:39 kernel: Packet log: input DENY eth0 PROTO=17 1.2.3.4:1024 24.94.83.89:31337 L=81 S=0x00 I=20326 F=0x0000 T=111 (#8)
> > > >
> > > > ---
> > > > You are currently subscribed to luau as: jmwong at math.ed.hawaii.edu
> > > > To unsubscribe send a blank email to $subst('Email.Unsub')
> > > >
> > >
> > >
> >
> >
> 
> 
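The log line Ben quoted is in the ipchains "Packet log" format. The Python below is an added example, not code from anyone in this thread: it parses lines in that format and reports the two things the discussion turns on, a denied packet to port 31337 and a source address of 1.2.3.4, so the same check can be run over a whole /var/log/messages instead of eyeballing one line. The field interpretation in the comment (L = length, S = TOS, I = IP id, F = fragment field, T = TTL, #n = rule number) is my reading of the ipchains format, and the sample lines other than Ben's are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. The first line is the one Ben quoted; the other
# two are made-up lines in the same ipchains "Packet log" format, added so the
# filter has something to leave alone.
SAMPLE_LOG = """\
Apr 29 16:50:39 kernel: Packet log: input DENY eth0 PROTO=17 1.2.3.4:1024 24.94.83.89:31337 L=81 S=0x00 I=20326 F=0x0000 T=111 (#8)
Apr 29 17:02:11 kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40000 24.94.83.89:22 L=60 S=0x00 I=1 F=0x4000 T=64 (#8)
Apr 29 17:05:42 kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.10:53 24.94.83.89:1025 L=120 S=0x00 I=9 F=0x0000 T=250 (#3)
"""

# Field layout assumed for an ipchains log line:
#   chain target iface PROTO=n src:sport dst:dport L=len S=tos I=ipid F=frag T=ttl (#rule)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)

UDP = 17

# Indicators taken from the thread itself.
WATCH_DPORTS = {31337: "port the thread associates with Back Orifice"}
SUSPECT_SOURCES = {"1.2.3.4": "commonly spoofed example address, per the thread"}


@dataclass
class PacketLog:
    ts: str
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int
    rule: int


def parse_line(line: str) -> Optional[PacketLog]:
    """Parse one ipchains Packet log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return PacketLog(
        ts=g["ts"], chain=g["chain"], target=g["target"], iface=g["iface"],
        proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        ttl=int(g["ttl"]), rule=int(g["rule"]),
    )


def notes_for(pkt: PacketLog) -> list[str]:
    """Return the observations the thread would make about this packet."""
    notes = []
    if pkt.dport in WATCH_DPORTS:
        notes.append(f"dport {pkt.dport}: {WATCH_DPORTS[pkt.dport]}")
    if pkt.src in SUSPECT_SOURCES:
        notes.append(f"src {pkt.src}: {SUSPECT_SOURCES[pkt.src]}")
        # A reply to a spoofed source never reaches the real sender, which is
        # jay's point: a single such packet is a fire-and-forget probe, not a
        # connection attempt that expects an answer.
        if pkt.proto == UDP:
            notes.append("spoofed-source UDP: sender cannot receive any reply")
    return notes


def scan(log_text: str) -> list[tuple[PacketLog, list[str]]]:
    """Run every parseable line through notes_for and keep the flagged ones."""
    flagged = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            notes = notes_for(pkt)
            if notes:
                flagged.append((pkt, notes))
    return flagged


if __name__ == "__main__":
    for pkt, notes in scan(SAMPLE_LOG):
        print(f"{pkt.ts} {pkt.target} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ttl={pkt.ttl}")
        for n in notes:
            print("   ", n)
```

Run against a real messages file with `scan(open("/var/log/messages").read())`; lines that are not ipchains packet logs are skipped rather than mis-parsed, and only Ben's line is reported from the constructed sample.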
